The Layer Two Tunneling Protocol (L2TP) is a protocol used by both Internet Service Providers (ISPs) and Virtual Private Networks (VPNs). VPNs are interested in the connectivity L2TP provides, while ISPs use it to support VPN services.
L2TP is the outcome of combining two older protocols: Microsoft’s Point-to-Point Tunneling Protocol (PPTP) and Cisco’s Layer 2 Forwarding (L2F). The hybrid result, L2TP, combines the best of both and improves on them significantly. The protocol appeared as the last century ended, as a replacement for those earlier protocols. Technically, it is the standard RFC 2661.
Here’s what you need to know about L2TP:
- It needs to be paired with another protocol to maximize its benefits.
- It’s usually paired with IPSec, which brings security to the data load.
- The combination of L2TP and IPSec opens up a broad spectrum of possibilities regarding security features because it enables the use of AES 256-bit and the 3DES algorithm.
- L2TP’s packets feature double encapsulation, which improves their security. However, it also makes the protocol more taxing on the equipment.
- L2TP’s port of choice is 1701. But once IPSec comes into the mix, other ports come into play as well: port 500 carries the Internet Key Exchange (IKE), port 4500 carries NAT traversal (NAT-T), and port 1701 (the original one) carries the L2TP traffic.
How does L2TP work?
L2TP creates a tunnel between two endpoints on the internet: the L2TP Access Concentrator (LAC) and the L2TP Network Server (LNS).
Once the connection between the two is established and active, the protocol carries an encapsulated PPP layer inside it.
The next step is initializing the PPP connection from the ISP to the LAC. When the LAC accepts it, the PPP link comes online.
Next, a free slot inside the tunnel is assigned to the new session, and the request goes on to the LNS.
At this point, the connection must be authenticated. Once authentication succeeds, a virtual PPP interface comes up, and all the link frames can travel through the tunnel.
The last step completes at the LNS endpoint, where the protocol processes the accepted frames and strips the L2TP encapsulation.
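As an added example (not code from the original article), here is a small Python parser for the L2TPv2 header defined in RFC 2661. It separates control messages (which carry AVPs such as the Message Type that opens a tunnel) from data messages (whose body is the inner PPP frame, the second layer of encapsulation described above), and rejects headers whose flags or Length field are inconsistent. It assumes the packet has already been taken out of its UDP datagram; the two sample packets are constructed, not captured.

```python
import struct
# Control message types from RFC 2661 section 3.2 (tunnel and session control)
MESSAGE_TYPES = {1: "SCCRQ", 2: "SCCRP", 3: "SCCCN", 4: "StopCCN", 6: "HELLO",
                 10: "ICRQ", 11: "ICRP", 12: "ICCN", 14: "CDN", 16: "SLI"}

def _check(ok, msg):
    if not ok:
        raise ValueError(msg)

def parse_avps(body):
    """Return the (vendor_id, attribute_type, value) triples of a control-message body."""
    avps, pos = [], 0
    while pos < len(body):
        _check(len(body) - pos >= 6, "truncated AVP header")
        flags, vendor, attr = struct.unpack_from("!HHH", body, pos)
        length = flags & 0x03FF                   # low 10 bits: AVP length incl. 6-byte header
        _check(6 <= length <= len(body) - pos, "AVP length field out of range")
        avps.append((vendor, attr, body[pos + 6:pos + length]))
        pos += length
    return avps

def parse_l2tp(data):
    """Decode one L2TP packet (the UDP payload) into its header fields and inner body."""
    _check(len(data) >= 6, "truncated L2TP header")
    flags = struct.unpack_from("!H", data, 0)[0]
    hdr = {"control": bool(flags & 0x8000),        # T bit: control (1) or data (0) message
           "length_present": bool(flags & 0x4000),  # L bit: Length field follows the flags
           "seq_present": bool(flags & 0x0800),     # S bit: Ns/Nr sequence fields present
           "version": flags & 0x000F}
    _check(hdr["version"] == 2 and not (flags & 0x0200), "only L2TPv2 without the Offset field")
    _check(not hdr["control"] or (hdr["length_present"] and hdr["seq_present"]), "control needs L and S")
    pos = 4 if hdr["length_present"] else 2
    length = struct.unpack_from("!H", data, 2)[0] if hdr["length_present"] else len(data)
    _check(pos + 4 + 4 * hdr["seq_present"] <= length <= len(data), "bad Length field")
    hdr["tunnel_id"], hdr["session_id"] = struct.unpack_from("!HH", data, pos)
    if hdr["seq_present"]:
        hdr["ns"], hdr["nr"] = struct.unpack_from("!HH", data, pos + 4)
    pos += 8 if hdr["seq_present"] else 4
    if hdr["control"]:
        hdr["avps"] = parse_avps(data[pos:length])  # bytes past Length are padding, ignored
        first = hdr["avps"][0] if hdr["avps"] else (None, None, b"")
        _check(first[:2] == (0, 0) and len(first[2]) == 2, "first AVP must be Message Type")
        hdr["message_type"] = MESSAGE_TYPES.get(struct.unpack("!H", first[2])[0], "unknown")
    else:
        hdr["ppp"] = data[pos:length]              # inner PPP frame: the second encapsulation
    return hdr

# Constructed samples (not captured traffic): an SCCRQ opening a tunnel, and a data message on tunnel 1 / session 2 carrying a PPP frame (FF 03, protocol 0x0021 = IPv4).
SCCRQ = bytes.fromhex("c802 0014 0000 0000 0000 0000 8008 0000 0000 0001")
DATA = bytes.fromhex("0002 0001 0002 ff03 0021 4500 0028")
```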
How are IPSec and L2TP protocols related?
You will often find “IPSec” mentioned whenever you read about the L2TP protocol, and when looking for L2TP in a VPN client you will usually see the combination listed as “L2TP/IPSec” among the connection protocols.
IPSec (the acronym for “Internet Protocol Security”) is a separate connection protocol frequently used with L2TP.
As the name suggests, IPSec ensures “security” to the “internet protocol” by encrypting the data packets exchanged between two computers in a network. Hence, using IPSec in tandem with L2TP improves a connection’s security.
L2TP deployed on its own does not perform at its best. It becomes more robust, reliable, and efficient when it runs together with IPSec, which is why most VPN providers deploy the two protocols together to give their users improved security.
The L2TP/IPSec pairing – Looking under the hood
Since IPSec is the protocol that brings out the best in L2TP, it is worth understanding how the two interact and reinforce each other. Here is how it goes:
- The negotiation of the IPSec security association (SA) takes place. (A “security association” is the agreement on shared security attributes between two networks that ensures secure data exchange.) This IPSec SA negotiation typically happens via IKE over port 500.
- IPSec then establishes the “Encapsulating Security Payload” (ESP) in transport mode. ESP runs on top of IP (IP protocol number 50) and sets up a secure channel between two entities in the network (such as the client and the VPN server). Up to this point, however, no tunneling has happened.
- IPSec has completed its job at this point, so this is where L2TP comes into play. It is in charge of creating the tunnel between the two endpoints, which it sets up via TCP port 1701. The tunnel negotiation takes place inside the IPSec encryption.